2006-08-22

Now, where did I put my keys...

plans to bring into force a controversial power that can require the disclosure of an encryption key on pain of five years' imprisonment.

These powers derive from the UK's Regulation of Investigatory Powers Act of 2000, amended by the Terrorism Act of 2006, according to the Register article. No doubt, recent events have not cooled the ardour of the government in London in this regard.

What, however, about public-key cryptography (PKC)? Say I needed to receive a secret message from a putative cousin in Cardiff. To this end, I might have provided her with my public key, which she would be able to use to encrypt the message that she'd dispatch to me and presumably store (encrypted) in her e-mail's Sent folder. Should I receive the message, I would use my private key to decrypt it. Now, assume the Welsh police raid her house and ask her to provide a key for decrypting the message she had sent to me earlier. She would certainly not be able to provide such a key - as she had never had it in the first place. In PKC, the key that is used to encrypt the message is not sufficient for its decryption. Now, the Welsh police might seek the private key from me in Pretoria, but what jurisdiction do they have? And would the South African authorities extradite me for a crime which - hold on - took place in a country in which I did not find myself at the time, exercising my (in SA) constitutional right to privacy? One would hope not.
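The scenario above as an added example (not part of the original post): a toy hybrid scheme in which a random session key encrypts the message and is wrapped under each recipient's public key. It goes one step beyond the post by also showing encrypt-to-self, where the sender's client adds her own public key as a recipient and her stored copy becomes decryptable with her own private key. The party names, primes and message are constructed, and the unpadded RSA here is for illustration only.

```python
# Added illustration: toy hybrid public-key encryption (NOT secure; unpadded
# RSA with small fixed primes, for demonstration only).
import hashlib
import secrets

def make_keypair(p, q, e=65537):
    """Return (public, private) textbook-RSA keys from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def xor_stream(key, data):
    """Symmetric toy cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt(plaintext, recipients):
    """Encrypt under a fresh session key, wrapped once per recipient public key."""
    session = secrets.token_bytes(16)
    m = int.from_bytes(session, "big")
    wrapped = {name: pow(m, e, n) for name, (n, e) in recipients.items()}
    # The session key is not stored anywhere; only the wrapped copies remain.
    return {"wrapped": wrapped, "body": xor_stream(session, plaintext)}

def decrypt(message, name, private):
    """Unwrap the session key with `name`'s private key, then decrypt the body."""
    if name not in message["wrapped"]:
        raise KeyError(f"no session key wrapped for {name}")
    n, d = private
    session = pow(message["wrapped"][name], d, n).to_bytes(16, "big")
    return xor_stream(session, message["body"])

# Constructed keys (Mersenne primes; hypothetical parties "pretoria" and "cardiff").
PRETORIA_PUB, PRETORIA_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
CARDIFF_PUB, CARDIFF_PRIV = make_keypair(2**61 - 1, 2**127 - 1)
TEXT = b"constructed sample message"

# Case 1: encrypted to the recipient only, as in the scenario above.
sent = encrypt(TEXT, {"pretoria": PRETORIA_PUB})
# Case 2: the sender's client also encrypts to her own key (encrypt-to-self).
sent_self = encrypt(TEXT, {"pretoria": PRETORIA_PUB, "cardiff": CARDIFF_PUB})

if __name__ == "__main__":
    print(decrypt(sent, "pretoria", PRETORIA_PRIV))
    print(decrypt(sent_self, "cardiff", CARDIFF_PRIV))
```

In case 1 the Sent-folder copy holds nothing the sender's own keys can open; in case 2 it does, so whether she "never had" a usable key depends on how her mail client was configured.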

It seems that authorities everywhere are still surprised and shocked when a tool that is useful in business and everyday life turns out to be of use to criminals - even more so when the authorities have little familiarity with the technology in question. I am a bit surprised, actually, that the umbrella and the flashlight have not yet been more strictly regulated.